/*
 * 
 * LegendShop 多用户商城系统
 * 
 *  版权所有,并保留所有权利。
 * 
 */
package com.legendshop.oa.filter.handler;

import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import com.legendshop.util.AppUtils;

/**
 * 过滤xss攻击
 * @author tony
 * 
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

	
    /**
     * The request parameters for this request.  This is initialized from the
     * wrapped request, but updates are allowed.
     */
    protected Map<String, String[]> parameters = null;

	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	public String[] getParameterValues(String parameter) {
		return parseParameters(parameter);
	}

	public String getParameter(String parameter) {
        String[] value =parseParameters(parameter);
        if (value == null) {
            return null;
        }
        return value[0];
	}

	public String getHeader(String name) {
		String value = super.getHeader(name);
		if (value == null)
			return null;
		//return cleanXSS(value);
		return value;
	}
	
	
	private  String[] parseParameters(String name) {
        if (parameters == null) {
        	 parameters = new HashMap<String, String[]>();
        }
        String[] values = parameters.get(name);
        if(values != null){
        	return values;
        }else{
        	values = super.getParameterValues(name);
        	if(values != null){
        		int count = values.length;
        		String[] encodedValues = new String[count];
        		for (int i = 0; i < count; i++) {
        			encodedValues[i] = cleanXSS(values[i]);//转换
        		}
        		parameters.put(name, encodedValues);//放置转换好的参数
        	}
        }
        return values;
    }
	
	/**
	 * 过滤Html javascript 和sql
	 * @param src
	 * @return
	 */
	private  String cleanXSS(String value) {
		if(AppUtils.isBlank(value)){
			return value;
		}
//		if(true){
//			return src;
//		}
//		String threadName = Thread.currentThread().getName();
//		System.out.println(threadName + " : cleanXSS 1        ===================== " + src);
//		src = StringEscapeUtils.escapeHtml(src);
//		src = StringEscapeUtils.escapeJavaScript(src);
//		src = StringEscapeUtils.escapeSql(src);
//		System.out.println(threadName + " : cleanXSS  2       ===================== " + src);
//		return src;
	//	String threadName = Thread.currentThread().getName();
	//	System.out.println(threadName + " : cleanXSS 1        ===================== " + value);
        //You'll need to remove the spaces from the html entities below
		  value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
		  value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
		  value = value.replaceAll("'", "& #39;");
		  value = value.replaceAll("eval\\((.*)\\)", "");
		  value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
		 // value = value.replaceAll("script", "");
//		  System.out.println(threadName + " : cleanXSS 2        ===================== " + value);
		  return value;
	}
    

}
